IDTokenUnwrapAndVerifyValve
Warning
This valve is usually used with the legacy OIDC authenticators. If that is the case, it is recommended to plan for migrating the authenticator to the new protocol-agnostic authenticator architecture, where this valve is no longer needed because its function is already built in. More information about the legacy authenticators can be found here.
Note
Parses a JWT ID token and verifies its date (expiration), issuer and audience. Use this valve when acting as an OIDC RP (relying party).
Parameters found in the ID token are stored in the first item found in the flow. If no item is present, one will be created.
Properties
| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| token_parameter | Name of the request parameter that carries the JWT ID token | id_token | true | Yes |
| performTimeValidation | Whether to verify the token's expiration time (true/false) | true | true | No |
Example Configuration
```json
{
  "name": "IDTokenUnwrapAndVerifyValve",
  "config": {
  }
}
```
Requirements
- The expected_issuer parameter must be present and must match the "issuer" in the token.
- The client_id parameter must be present and must match the "aud" in the token.
- If no item exists in the flow, an item with a random id will be created.
General information
Only first-level data in the token is extracted. For complex id_token structures, consult support.
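The checks and item handling described above, as an added example that is not part of the product's own code: it decodes the JWT payload, applies the exp/iss/aud checks using the expected_issuer, client_id and performTimeValidation settings from this page, and copies first-level claims into the first flow item, creating one with a random id when the flow has none. It does not verify the token signature (not among the checks listed here), and make_demo_token, the item layout and the standard "iss" claim name are assumptions.

```python
import base64
import json
import secrets
import time
from typing import Optional

class IDTokenError(ValueError):
    """Raised when the ID token fails one of the checks the valve performs."""

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    # Constructed, unsigned ("alg":"none") token for local demonstration only.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def unwrap_and_verify(params: dict, items: list, *, expected_issuer: str,
                      client_id: str, token_parameter: str = "id_token",
                      perform_time_validation: bool = True,
                      now: Optional[int] = None) -> dict:
    """Read the JWT from params[token_parameter], check exp/iss/aud, then copy
    its first-level claims into the first flow item (created if absent)."""
    token = params.get(token_parameter)
    if not token:
        raise IDTokenError(f"missing request parameter '{token_parameter}'")
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if perform_time_validation:  # performTimeValidation=false skips this check
        now = int(time.time()) if now is None else now
        if "exp" not in claims or now >= int(claims["exp"]):
            raise IDTokenError("token expired or has no 'exp' claim")
    if claims.get("iss") != expected_issuer:
        raise IDTokenError("issuer does not match expected_issuer")
    aud = claims.get("aud")  # 'aud' may be a single string or a list
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("audience does not match client_id")
    if not items:  # no item in the flow: create one with a random id
        items.append({"id": secrets.token_hex(16), "properties": {}})
    item = items[0]
    item["properties"].update(claims)  # first-level claims only, nested values as-is
    return item
```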